http://qs1969.pair.com?node_id=509463

sara2005 has asked for the wisdom of the Perl Monks concerning the following question:

Hello Monks,

I have set-up a web page (intranet) which validates the user's unix password for authentication. All I do is get the userid /password and try to ftp to the unix server using Net::FTP. I allow or deny further access based on the return value. To further tighten up, I am planning to have an authorized users list, which the program will first check before trying the ftp.

I am just curious to know if there are any security issues with this because the important CTQ is to use the Unix ID for validation?

Would appreciate your thoughts on this.

Re: Unix Password for validation
by CountOrlok (Friar) on Nov 17, 2005 at 17:02 UTC
    My understanding of FTP is that it is not a secure protocol. When you try to connect to the server using FTP, you'll be sending clear text passwords, so anyone listening in on the connection would find out the password. Not a good idea.

    If you could use Net::SSH instead, it would be better. It would involve some more work though.

    -Imran

Re: Unix Password for validation
by blue_cowdawg (Monsignor) on Nov 17, 2005 at 17:07 UTC
        Would appreciate your thoughts on this.

    My first thought is that from your description you seem to be going to a lot of effort to accomplish a simple task. In fact, IMHO you are going about this backwards.

    First I'd come up with the list of authorized users. Secondly I'd leave the Unix passwords out of the equation and use another repository to store authentication tokens other than /etc/password and/or /etc/shadow. In fact, if your Unix system has implemented shadow files (and most these days do) then you shouldn't be able to access /etc/shadow from your web application. If you can then you are introducing other security issues that I believe are beyond the scope of this discussion.

    If you want the userids and passwords to match the account ids and passwords issued for Unix accounts then I'd say import them into another repository from Unix and let your application access them from there. Keeping your list of authorized users then becomes just an exercise of importing just the users you need and leaving out the rest.

    What repository you ask? Investigate .htpassword files for one, LDAP is a good solution and so might be putting the account data in a relational database.

    The major drawback to importing the Unix account information that I can think of (besides wire snooping and other evil things) is password synchronization becomes an issue. So does user administration from the perspective of adds/changes/deletes.

    If you are lucky enough that your company has standardized on something like LDAP for user authentication then your application should be able to access account logins from there. In fact whoever your LDAP administrator is can set up an ACL and group tailored to the list of who is authorized to use your application relieving you of that burden.

    Just my US$0.02 worth.. HTH...


    Peter L. Berghold -- Unix Professional
    Peter -at- Berghold -dot- Net; AOL IM redcowdawg Yahoo IM: blue_cowdawg
Re: Unix Password for validation
by idsfa (Vicar) on Nov 17, 2005 at 17:12 UTC

    In general, it is not a good security practice to send passwords unencrypted, even over your intranet. As has been mentioned, FTP is not encrypted. Of course, if you have not set up your web page with SSL, neither is your web session, so changing to SSH will not really solve the problem.

    If your web server is Apache, you can use mod_auth_pam or mod_auth_shadow. More info would be needed about the web server and OS to get more specific ...


    The intelligent reader will judge for himself. Without examining the facts fully and fairly, there is no way of knowing whether vox populi is really vox dei, or merely vox asinorum. — Cyrus H. Gordon
Re: Unix Password for validation
by radiantmatrix (Parson) on Nov 17, 2005 at 18:18 UTC

    Depending on your UNIX flavor, you might have the Pluggable Authentication Module available. If you do, this is incredibly simple using Authen::SimplePam:

    use strict;
    use warnings;
    use Authen::SimplePam;

    # $username and $password come from the web form in the poster's setup;
    # taken from the command line here so the snippet runs on its own.
    my ($username, $password) = @ARGV;

    my $auth   = Authen::SimplePam->new();
    # 'login' is the PAM service name; auth_user returns 1 on success
    my $result = $auth->auth_user($username, $password, 'login');
    if ( $result == 1 ) {
        print "User logged in OK!\n";
    } else {
        print 'Login failed: ', $auth->result2string($result), "\n";
    }

    If you are doing this without the benefit of PAM, it could be trickier.

    As for security issues, what you really want to do is not send things over clear text -- this means FTP is a poor choice. Try SSH or another secure protocol. Also, your approach of logging in once and then allowing access based on the result code is probably not the best. With something like PAM available, it would be best to actually authenticate each operation that needs privileges.

    Unfortunately, that's all the more specific I can be with such a vague question.

    <-radiant.matrix->
    A collection of thoughts and links from the minds of geeks
    The Code that can be seen is not the true Code
    "In any sufficiently large group of people, most are idiots" - Kaa's Law

      Thanks for the suggestion.

      I was able to install the PAM module and the authentication worked fine except that I also got a message

      Subroutine PAM_BINARY_PROMPT redefined at ~/perllib/Authen/SimplePam.pm : line 56

      Sorry that I was not clear in the initial post. I intend to have every page and operation validated by calling this function before doing anything.

      Thanks again for your help
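Putting together the two points above (radiantmatrix's PAM-based check and the authorized-users list the original poster wants to consult before authenticating), here is an added example of a reusable check that each page can call before doing anything. It is not code from the thread; the allow-list file path, its one-name-per-line format and the function names are assumptions for this example, and only the Authen::SimplePam calls shown in the thread are used.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Authen::SimplePam;

# Hypothetical allow-list file, one login name per line; lines starting
# with '#' are comments.  The path is an assumption for this example.
my $ALLOWED_FILE = '/etc/myapp/authorized_users';

# Read the allow-list into a hash so each request does a single lookup.
sub load_allowed_users {
    my ($path) = @_;
    open my $fh, '<', $path or die "cannot open $path: $!";
    my %allowed;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(#|$)/;   # skip comments and blank lines
        $allowed{$line} = 1;
    }
    close $fh;
    return \%allowed;
}

# Check the allow-list first, then let PAM verify the password.
# Returns (1, 'ok') on success or (0, $reason) on failure.  The reason is
# meant for the server log; show the user one generic "login failed" so
# the page does not reveal which of the checks rejected the attempt.
sub authenticate {
    my ($username, $password, $allowed) = @_;

    return (0, 'empty credentials')
        unless defined $username && length $username
            && defined $password && length $password;
    # Accept plain Unix login names only (no separators or control chars).
    return (0, 'malformed username')
        unless $username =~ /^[A-Za-z_][A-Za-z0-9_-]{0,31}$/;
    return (0, 'user not authorized') unless $allowed->{$username};

    my $pam    = Authen::SimplePam->new();
    my $result = $pam->auth_user($username, $password, 'login');
    return (1, 'ok') if $result == 1;
    return (0, 'PAM: ' . $pam->result2string($result));
}

# Typical use from a CGI handler ($user/$pass taken from the form):
# my $allowed = load_allowed_users($ALLOWED_FILE);
# my ($ok, $why) = authenticate($user, $pass, $allowed);
# if (!$ok) { warn "auth failed for '$user': $why\n"; deny_access(); }
```

Because the check runs on every request, the credentials must reach the web server over SSL as idsfa notes; PAM only removes the clear-text FTP hop, not the clear-text HTTP one.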